Lets Encrypt renewal and certificate synchornization

[smalchow]

Dears,

i have the following situation and i wanted to ask if someone has an idea or maybe already a solution.
I have 2 parallel opnsense machines, both in general identical and a hostname (e.g. www.hundenase.de) loadbalanced to both machines (round robin with healthcheck) and we are using the lets encrypt plugin for certificates.

How do we keep certificates on both machines updated ? If i just regularly use lets encrypt, the http challenge might always hit the "other" server so an active-active setup seems to be hard to setup

Any ideas or hints (we already thought of synchronizing the certs and just run an active-passive setup but that is not really the desired solution.

(the last solution is DNS challenge , which we would probably use if we dont find a solution with the http challenge)

cheers
soeren   

[marjohn56]

You COULD do it in a similar way to how I do my servers etc. As I use a wildcard cert for everything I let Opnsense handle the updates and then I have a script which uses rsync that uploads the certs to the web server. The same script also backs up all my configs and scripts to a local NAS. Thus if I have to rebuild Opnsense at anytime all I need to do is copy the actions.d & rc.d folders back to Opnsense, it's proved very useful.

[muchacha_grande]

...and then I have a script which uses rsync that uploads the certs to the web server...

Hi @marjohn56,
How do you trigger the script?

[marjohn56]

It's a cron event, backs up daily.

[muchacha_grande]

Are you using the "Remote backup" command of the "System > Settings > Cron" page ?

[marjohn56]

No, my own script. I use rsync; it allows me to backup entire folders or individual files

Code: [Select]

#!/bin/sh


# PROVIDE: rsync
# REQUIRE: NETWORKING


. /etc/rc.subr
# create target directories if they don't exist
ssh  admin@10.4.12.3 mkdir -p /share/Download/Opnsense/conf
ssh  admin@10.4.12.3 mkdir -p /share/Download/Opnsense/usr/local/etc/rc.d
ssh  admin@10.4.12.3 mkdir -p /share/Download/Opnsense/usr/local/opnsense/service/conf/actions.d
# copy files - never able to get rysnc to create the dirs!
rsync -arvh /conf/ admin@10.4.12.3:/share/Download/Opnsense/conf
rsync -ah /usr/local/etc/rc.d/rsync_backup admin@10.4.12.3:/share/Download/Opnsense/usr/local/etc/rc.d
rsync -ah /usr/local/etc/rc.d/dpinger_starter admin@10.4.12.3:/share/Download/Opnsense/usr/local/etc/rc.d
rsync -ah /usr/local/etc/rc.d/ping_check.sh admin@10.4.12.3:/share/Download/Opnsense/usr/local/etc/rc.d
rsync -ah /usr/local/opnsense/service/conf/actions.d/actions_dpinger.conf admin@10.4.12.3:/share/Download/Opnsense/usr/local/opnsense/service/conf/actions.d/
rsync -ah /usr/local/opnsense/service/conf/actions.d/actions_rsync_backup.conf admin@10.4.12.3:/share/Download/Opnsense/usr/local/opnsense/service/conf/actions.d/
rsync -ah /usr/local/opnsense/service/conf/actions.d/actions_pingcheck.conf admin@10.4.12.3:/share/Download/Opnsense/usr/local/opnsense/service/conf/actions.d/
# copy SSL certs to web server
rsync -ah /var/etc/acme-client/home/*.queens-park.com/*.queens-park.com.key martin@10.4.15.34:/etc/apache2/ssl/
rsync -ah /var/etc/acme-client/home/*.queens-park.com/*.queens-park.com.cer martin@10.4.15.34:/etc/apache2/ssl/
# now update the qnap - The GUI will show the old cert but the web pages actually use the new one. Have to cat them together first.
cat /var/etc/acme-client/home/*.queens-park.com/*.queens-park.com.key /var/etc/acme-client/home/*.queens-park.com/fullchain.cer > '/var/etc/acme-client/home/*.queens-park.com/stunnel.pem'
rsync -ah /var/etc/acme-client/home/*.queens-park.com/stunnel.pem admin@10.4.12.3:/etc/stunnel


The destinations all have ssh servers, so the hardest part was getting the keys into the correct places so that rsync doesn't ask for a password.

[muchacha_grande]

Very useful. 
Does your script survive an OPNSense Update? or you have to reconfigure it after updating?

[marjohn56]

No, but as I said in my first message on this thread, it creates backups on my NAS using the same folder structure as Opnsense. If I goto the NAS, open the Opnsense folder, I have two directories, usr and conf, I just copy them both back to Opnsense,  everything is restored... job done.

[muchacha_grande]

Oh... yes. I didn't catch that.
Thank you very much @marjohn56